Rubrik File Object Context Analysis
This playbook will retrieve policy hits from Rubrik Security Cloud for a given object, for a particular file, folder, or file share.
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_Policy_Hits_data_to_log_analytics | post | /api/logs | — |
| Send_Data | post | /api/logs | — |

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Rubrik_ClientId | get | /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientId')}/value | — |
| Get_Rubrik_ClientSecret | get | /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientSecret')}/value | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_policy_hits_for_file_based_object | POST | @{variables('BaseUrl')}/api/graphql | — |
| Get_Object_List | POST | @{variables('BaseUrl')}/api/graphql | — |
| Get_Access_Token | POST | @{variables('BaseUrl')}/api/client_token | — |
| Get_Latest_SnapshotId_for_given_ObjectId | POST | @{variables('BaseUrl')}/api/graphql | — |
| HTTP | POST | @{variables('BaseUrl')}/api/graphql | — |
Additional Documentation
📄 Source: RubrikFileObjectContextAnalysis/readme.md
Summary
This playbook will retrieve policy hits from Rubrik Security Cloud for a given object, for a particular file, folder, or file share.
Prerequisites
- The Rubrik Security Cloud solution should be configured to connect to the Rubrik Security Cloud API endpoints using a Service Account. The service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- Obtain the Teams GroupId and ChannelId:
  - Create a Team with a public channel.
  - Click the three dots (...) on the right side of your newly created Teams channel and select Get link to the channel.
  - Copy the text from the link between /channel and /, decode it using an online URL decoder, and use the result as the channelId.
  - Copy the value of the groupId parameter from the link to use as the groupId.
- Store the Service Account credentials in Key Vault and obtain the Key Vault name and tenantId:
  - Create a Key Vault with a unique name.
  - Go to KeyVault -> secrets, click Generate/import, and create 'Rubrik-AS-Int-ClientId' and 'Rubrik-AS-Int-ClientSecret' to store the client_id and client_secret respectively.

NOTE: Make sure the Permission model under Access configuration of the Key Vault is set to 'Vault access policy'. If it is not, change it to 'Vault access policy'.
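The channel-link step above (take the text between /channel and /, URL-decode it, and read the groupId parameter) can also be done locally. The Python below is an added example, not part of the playbook or its readme; `parse_teams_channel_link` is a hypothetical helper name and the sample link and its IDs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_teams_channel_link(link: str) -> dict:
    """Return the channelId and groupId carried by a 'Get link to channel' URL."""
    parts = urlsplit(link)
    # Split the still-encoded path so an encoded '/' inside the ID cannot
    # be mistaken for a path separator.
    segments = parts.path.split("/")
    try:
        raw_channel = segments[segments.index("channel") + 1]
    except (ValueError, IndexError):
        raise ValueError("link has no /channel/<id>/ segment") from None
    channel_id = unquote(raw_channel)  # the "URL decode" step
    if not channel_id:
        raise ValueError("empty channel id")
    group_ids = parse_qs(parts.query).get("groupId", [])
    if len(group_ids) != 1 or not GUID_RE.match(group_ids[0]):
        raise ValueError("groupId parameter missing, repeated, or not a GUID")
    return {"channelId": channel_id, "groupId": group_ids[0]}


# Constructed sample link (all IDs are made up).
SAMPLE_LINK = (
    "https://teams.microsoft.com/l/channel/"
    "19%3A0123456789abcdef0123456789abcdef%40thread.tacv2/General"
    "?groupId=11111111-2222-3333-4444-555555555555"
    "&tenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)

if __name__ == "__main__":
    ids = parse_teams_channel_link(SAMPLE_LINK)
    print("Teams Channel Id:", ids["channelId"])
    print("Teams Group Id:  ", ids["groupId"])
```

The two printed values are what the Teams Channel Id and Teams Group Id deployment parameters expect.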
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: Enter the playbook name here
  - Teams Group Id: Id of the Teams Group where the adaptive card will be posted
  - Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
  - Keyvault Name: Name of keyvault where secrets are stored.
  - Tenant Id: TenantId where keyvault is located.
  - BaseUrl: BaseUrl of the RubrikApi instance.
  - LogAnalyticsWorkspaceId: Id of log analytics workspace where you want to ingest data in Microsoft Sentinel.
  - LogAnalyticsWorkspaceKey: PrimaryKey of log analytics workspace where you want to ingest data in Microsoft Sentinel.
  - PolicyHitsTableName: Tablename to store policyhits data of file object in Log Analytics Workspace.

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection, such as keyvault, azureloganalytics, and teams.
- Go to your logic app -> API connections -> Select keyvault connection resource
- Go to General -> edit API connection
- Click the keyvault connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Add Access policy in Keyvault
Add an access policy that allows the playbook's managed identity to read and write secrets in the Key Vault.
- Go to logic app → → identity → System assigned Managed identity and copy Object (principal) ID.
- Go to keyvaults → → Access policies → create.
- Select all keys & secrets permissions. Click next.
- In principal section, search by copied object ID. Click next.
- Click review + create.